Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Using an ACL to restrict access to a server

We're trying to restrict access to a server by only allowing a limited number of hosts to access the server. It seems like it would be a pretty simple ACL, something like this (assuming the server is 10.10.10.100):

permit ip host 10.10.10.1 host 10.10.10.100

But where should we apply it? We'd planned to apply it on the interface that directly connects to the server, but it appears we can only apply it inbound on that interface (i.e. it would apply to traffic sourced from the server, inbound into the switch). So do we have to apply it to the VLAN on which the server resides, using it with a "permit ip any any" at the end to allow other traffic to flow freely over the VLAN?

8 REPLIES
Hall of Fame Super Blue

Re: Using an ACL to restrict access to a server

Patrick

You should apply it outbound on the vlan interface that is the server vlan ie. -

access-list 101 permit ip host 10.10.10.1 host 10.10.10.100

access-list 101 permit ip host 10.10.10.20 host 10.10.10.100

access-list 101 deny ip any host 10.10.10.100

access-list 101 permit ip any any

int vlan 10

ip access-group 101 out

the above will allow hosts 10.10.10.1 & 20 to talk to the server 10.10.10.100

then all other traffic to the server is denied

then all other traffic is allowed to the server vlan

Jon

New Member

Re: Using an ACL to restrict access to a server

Thanks very much, Jon. That was exactly the answer we were looking for.

Hall of Fame Super Blue

Re: Using an ACL to restrict access to a server

Glad to have helped.

New Member

Re: Using an ACL to restrict access to a server

I used to work with the original poster and I need to add another host to the above acl. I simply added the extra lines:

access-list 101 permit ip host 10.10.10.1 host 10.10.10.200

access-list 101 permit ip host 10.10.10.20 host 10.10.10.200

access-list 101 deny ip any host 10.10.10.200

access-list 101 permit ip any any

But I can't get it to work and can't seem to find an answer online anywhere that makes sense to me.

Hall of Fame Super Silver

Using an ACL to restrict access to a server

We do not have very much to work with here. When you say that you added extra lines does that mean that you went into config mode and input the lines shown in your post? If so than probably the issue is that IOS adds additional lines to an existing access list at the bottom of the existing access list. And since the existing access list ended with permit ip any any, then any lines that you add below that will have no effect.

If that does not seem to explain your issue then I suggest that you post the relevant parts of the configuration as it exists. And a better explanation of what is not working would also help. Is the issue that no one can get to host 10.10.10.200? Or is the issue that everyone can get to that host? Or what is not working as you expect it to?

HTH

Rick

New Member

Re: Using an ACL to restrict access to a server

Hi,

The sequence of the access-list statements is important.

Could you please show the sequence of the statements?

Regards, Rahul.

New Member

Using an ACL to restrict access to a server

I deleted the existing acl and added this:

access-list 101 permit ip host 10.10.10.1 host 10.10.10.100

access-list 101 permit ip host 10.10.10.1 host 10.10.10.200

access-list 101 permit ip host 10.10.10.20 host 10.10.10.100

access-list 101 permit ip host 10.10.10.20 host 10.10.10.200

access-list 101 deny ip any host 10.10.10.100

access-list 101 deny ip any host 10.10.10.200

access-list 101 permit ip any any

int vlan 10 (10.10.10.0/24)

ip access-group 101 out

I was able to reach 10.10.10.100 from a restricted IP but not 10.10.10.200

Hall of Fame Super Silver

Using an ACL to restrict access to a server

Thanks for the additional information. Deleting the existing access list and then creating it again with the added statements is the correct way to change it. From a syntax perspective I would say that your access list is correct. So my next question is which restricted IP are you testing from? And is your test using the same restricted IP to access both of the servers?

The overall approach of Jon's access list is certainly correct. You want to permit the specific hosts that can access the server, then you need to deny all other access to the server, and then you need to permit everything else. But there is a significant flaw in its detailed implementation.  The source addresses are in subnet 10.10.10 and the server destination is also in subnet 10.10.10. This means that the sources and the destinations are all locally connected. And we do not have any capability to restrict connections within the local subnet..

The approach that Jon suggests works well if the source addresses are in remote subnets and are attempting to access the server through the VLAN interface where the access list is applied. This access we can control very well with the access list. So my question to you now becomes are you testing from a device that is outside of the 10.10.10 subnet or from a device that is in the 10.10.10 subnet?

HTH

Rick

212
Views
0
Helpful
8
Replies
CreatePlease login to create content